to publish our results on sourceforge by the end of 2005) and stable implementation
in architectures requiring secure and forensically compliant stealth-based syslogging.
The graphical representation of the SecSyslog test bed follows (Fig. 13).
We decided to install a SecSyslog implementation in our TestLab at the University
of Milano at Crema. It will help us integrate our existing Honeynet with two more
modules.
In any case, the objective of this chapter is to act as a tutorial for log and event
correlation. To ensure that the operations comply with the general principles of
digital forensics, the tools used have to meet a series of requirements. The IRItaly
Project is currently seeking to achieve precisely this objective. At the moment, the
most important problems to resolve are the manageability of distributed architectures,
with particular emphasis on top-down and real-time approaches. We currently see a
gap between the two approaches, which are pursued, respectively, by ISVs and by
the GPL world. The latter is famously less well financed than the former, and for
this reason cannot use the same methodology. In any case, the hope is to guarantee
a minimum of autonomy to those operators who are not able to invest large sums in
complex distributed systems.
A number of current scientific conferences are unquestionably important. Some of
them deal with applied digital forensics, others delve into forensic engineering. The
most recent Digital Forensics Research Workshop (http://www.dfrws.org), for
example, hosted a series of innovative papers discussing how the investigative
paradigm is changing, needs that have developed over time, and past experiences.
There are studies that show the effectiveness of network forensics and correlation
tools, at least in the prototype stage, supported by advanced display tools.
Researchers at the Iowa State University Department of Electrical and Computer
Engineering have developed a prototype network forensics analysis tool that
integrates presentation, handling and automated analysis of intrusion evidence. In
this case, the evidence graph was proposed as a novel graphic tool to facilitate the
presentation and handling of intrusion evidence. For automated evidence analysis,
a hierarchical reasoning framework that includes local reasoning and global
reasoning has been developed. In local reasoning, a Rule-based Fuzzy Cognitive
Map (RBFCM) was deployed to model the evolving state of suspicious hosts. In
global reasoning, the project aims to identify groups of strongly correlated hosts
involved in the attack and determine their relationships within that scenario.
While part of the scientific community is engaged in creating new tools, another
part concentrates on investigative methods. One of the most frequently reported
problems is the high percentage of errors in the so-called incident reproduction
phase. According to the dominant doctrine, there are three types of reproduction:
Physical, Logical, and Theoretic. The first is when investigators succeed in wholly reproduc-